A Roundup of All the Current iOS 10 and 11 Jailbreak Developments

2017-12-191470Posted by 3uTools

We now hear incremental updates about jailbreaking, sometimes multiple times a day, which are more technical and reinforce, modify, or even invalidate previous news. That’s why we’ve put together a quick round-up of the current state of affairs, which will bring you up to date.

The exploits

There are two exploits at play here, but they both use the same vulnerability. What this means is that they both capitalise on the same fundamental weakness in iOS, but that the methods they use to do so are unrelated. For iOS 10.x (up to and including iOS 10.3.3), we have v0rtex by Siguza. The source code for this exploit has been out for a while, as well as a useful write-up for other developers. Interestingly, this exploit can also be adapted for 32-bit devices, and may well be.

For iOS 11.x (up to and including iOS 11.1.2, not higher), we have async_wake by Ian Beer. He is known for finding iOS bugs as part of Google’s Project Zero, and was responsible for the bug behind the extra_recipe tool too.

The problems

Just because we have an exploit doesn’t mean we have a jailbreak tool yet. The raw code of the exploits must be combined with various patches to create what the average user would consider a jailbreak. These include disabling iOS protections (such as amfi), enabling filesystem access (r/w on /), and more.

Various offsets are usually also required to add support for all devices. It must then be wrapped into a foolproof package containing Cydia and Substrate, which may themselves need changes to work with a new jailbreak’s quirks.

Additionally, the iPhone 7 (Plus) and all newer devices have hardware protections which could require an extra workaround to avoid. So even a full jailbreak for older models does not necessarily mean the job is done for the recent flagships.

A solution to KTTR hardware protection on the iPhone 7 and newer might be needed; older devices would not need this

It seems that every one of the above things is being worked on to some extent currently, which is encouraging. Versions of the exploit which bundle a file browser and SSH are already floating around, though they are far from complete as of yet. I would hold off on trying anything until it’s all come together under one roof. All in all, it’s looking pretty hopeful!

A bypass for KPP, or a KPP-less approach. The latter is looking more likely now, though it will require a re-write of Cydia Substrate

Patches to amfi for unsigned code execution

Cydia and Substrate to be packaged with it

A solution to KTTR hardware protection on the iPhone 7(+) might be needed; older devices would not need this

Offsets added to properly support all devices

32-bit support – this might come from tihmstar at some point

It currently looks like the iOS 11 work is slightly ahead of iOS 10, probably due to community enthusiasm, though v0rtex can make use of more already-known techniques. I think it won’t be long before they’re both finished, to some usable extent.

The exploit present in <=iOS 11.1.2, and used by async_wake, is also present in <=tvOS 11.1! This means that a liberTV jailbreak for both the Apple TV 4 and 4K is possible using the same work. Based on Jonathan Levin’s comments it looks like it will be happening too, though patience is requested.

Jailbreak toolkit

Also from Levin, this developer toolkit aims to make constructing a jailbreak easier on future occasions, by providing certain core functionalities that can simply be combined with new exploits as they become available. Not much more information is available, but it is due to be released soon.

32-bit

A final jailbreak is now possible for legacy devices, meaning they will be capable of being jailbroken for their remaining lifespan. v0rtex has the potential to work on 32-bit, and will surely eventually arrive.

Saïgon

The iOS 10.2.1 tool now uses v0rtex to jailbreak, making it more reliable. It’s also good news because it gives v0rtex an already completed tool to piggyback on. This could increase the speed with which v0rtex becomes a full jailbreak, because some of the patches and wrapping up have already been done in Saïgon. We’ll have to see if that turns out to be true.

v0rtexNonce

This tool uses the vortex exploit to set a nonce on your device on iOS 10.3.x. This allows A7 devices to futurerestore to iOS 10.x and iOS 11.x, and other devices to futurerestore to iOS 11.x. This will be useful to move to iOS 11.1.2 later, to jailbreak with async_wake.

futurerestore/Prometheus

A final piece of encouraging news, though it has not been thoroughly tested yet, is that futurerestore may work on iOS 11 after all. With a few minor updates the tool still runs, and an early test seems to have shown that the iOS 11.2 SEP and baseband are compatible with iOS 11.1.2. This means, as I optimistically predicted previously, that people who saved iOS 11.1.2 blobs when it was being signed might be able to jump to iOS 11.1.2 at a later date, after async_wake is finished.

To work, futurerestore requires a SEP and baseband from a currently signed firmware, so if all the signed firmwares have a SEP incompatible with the version you want to move to, it will fail. This was what killed futurerestores to iOS 10: all the signed SEPs (iOS 11) are incompatible. Only A7 devices such as the iPhone 5s can futurerestore to iOS 10 now.